I would also install and use TCP Wrappers; this limits the IP addresses that can connect to the open port.
Thanks

Marc Aylesworth
PAR C3I Group
AFRL/IFSE Joint Battlespace Infosphere Team
525 Brooks Rd
Rome, NY 13441-4505
Tel: 315.330.2422
Fax: 315.330.7009
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bhaskar, KS
Sent: Wednesday, April 12, 2006 12:10 PM
To: hardhats-members@lists.sourceforge.net
Subject: Re: [Hardhats-members] Which hole(s) in the firewall?

John --

First, there is no reason to use a range of ports for CPRS. Use the direct connect technique, deploy a server (GTMLNX^XWBTCP) under inetd/xinetd and you just need a single port.

The most secure approach might be to use ssh port forwarding from the client to the server, and open only ssh on the server. The client would forward a local port, e.g., 19297 to a port, e.g., 9297 (can be the same, or can be different) on the server. On Linux, this would be something like: "ssh -L 19297:localhost:9297 [EMAIL PROTECTED]" and CPRS clients would connect to the local computer at port 19297. Although this leverages the security of ssh, it does require a 2 step connection process (which can be scripted, of course) and the ssh tunnel may cause a slight "rubber band" effect to response time.

Another alternative would be to deploy a listener at a port such as 9297, but to use some of [x]inetd's ability to secure a connection, e.g., by doing a reverse DNS lookup on the IP address. (There's actually much more that can be done, but I am not a security expert, unlike others on this list.) In the second case, the network traffic between the CPRS GUI and the server will not be encrypted. You could consider using something like stunnel to encrypt the traffic, but I am now skating on thin ice with respect to my expertise.

-- Bhaskar

On Wed, 2006-04-12 at 07:56 -0500, JohnLeoZ wrote:
> After a year's work, I have been asked which ports I want opened for my
> VistA server. My main goal will be smooth after-hours access to CPRS.
> I want SSH (port 22) of course.
>
> But my question is how much further should I go?
> Do I need to open 9200-9210 for CPRS or would it be better tunneled
> through port 22?
>
> Suggestions please.
>
> JohnLeoZ
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Hardhats-members mailing list
> Hardhats-members@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/hardhats-members
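The single-port setup the thread converges on (an xinetd listener for GTMLNX^XWBTCP restricted by only_from, TCP Wrappers allow/deny rules for the same service, and the client-side ssh tunnel), as an added example that is not from any poster in this thread. The service name vista-rpc, the service user, and the GT.M and VistA paths (ASSUMED_*) are assumptions; the tunnel is bound to 127.0.0.1 so the forwarded port is not reachable from other hosts on the client's LAN.

```shell
#!/bin/sh
# Added example, not from the thread: generates the xinetd stanza, the
# tcp_wrappers rules and the ssh tunnel command for a single CPRS port.
set -eu

ASSUMED_MUMPS=/usr/local/gtm/mumps     # assumption: GT.M interpreter path
ASSUMED_GLD=/opt/vista/g/mumps.gld     # assumption: VistA global directory

# xinetd stanza for the direct-connect listener: one fixed port, a source
# allow-list, and an explicit libwrap name so hosts.allow/deny match on it.
write_xinetd_service() {   # $1=dest dir  $2=port  $3=allowed net (CIDR, e.g. 10.0.0.0/16)
    cat > "$1/vista-rpc" <<EOF
service vista-rpc
{
    type            = UNLISTED
    port            = $2
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = vista
    server          = $ASSUMED_MUMPS
    server_args     = -run GTMLNX^XWBTCP
    env             = gtmgbldir=$ASSUMED_GLD
    only_from       = $3
    libwrap         = vista-rpc
    log_type        = SYSLOG daemon info
    log_on_failure  += HOST
}
EOF
}

# tcp_wrappers: deny everything by default, then allow the clinic network
# for this service only (net/mask form is accepted by all tcp_wrappers builds).
write_tcpwrappers() {      # $1=dest dir  $2=allowed net, e.g. 10.0.0.0/255.255.0.0
    printf 'vista-rpc: %s\n' "$2" > "$1/hosts.allow"
    printf 'ALL: ALL\n'          > "$1/hosts.deny"
}

# ssh tunnel as in the thread, with the local end bound to loopback; -N keeps
# the session as a pure forwarder. Ports are checked to be numeric first.
tunnel_cmd() {             # $1=local port  $2=server port  $3=user@server
    case "$1$2" in *[!0-9]*) echo "ports must be numeric" >&2; return 1;; esac
    printf 'ssh -N -L 127.0.0.1:%s:localhost:%s %s\n' "$1" "$2" "$3"
}
```

Typical use: `write_xinetd_service /etc/xinetd.d 9297 10.0.0.0/16`, `write_tcpwrappers /etc 10.0.0.0/255.255.0.0`, then reload xinetd; on each client run the command printed by `tunnel_cmd 19297 9297 user@server` and point CPRS at localhost:19297.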